Spotlight on Surveillance: October 2005

Registered Traveler Card: A Privatized Passenger ID

The federal government is spending an increasing amount of money on surveillance technology and programs at the expense of other projects. EPIC's "Spotlight on Surveillance" project scrutinizes these surveillance programs. For more information, see previous Spotlights on Surveillance.

This month, Spotlight focuses on the Transportation Security Administration's Registered Traveler program. The government pilot program began a year ago and recently ended at five airports; however, a private business is continuing the program at Orlando International Airport and there are plans to expand the air traveler prescreening program to many airports across the nation.1

The government has spent about $20 million on the pilot Registered Traveler program.2 The federal test program ended last month when Fiscal Year 2005 ended because no money has been allotted toward the program in the Fiscal Year 2006 budget.3 However, the Transportation Security Administration (TSA) continues to conduct background checks on applicants and members of the private program, named Clear and operated by Verified Identity Pass Inc., at a cost of $30 to $50 per check, paid for by TSA.4

From July 2005 (the beginning of the privately run Clear program at Orlando airport) to September 2005, about 8,600 people have joined Clear.5 The applicant, who must be a U.S. citizen or permanent foreign national, pays an annual fee of $79.95 to join.6 To apply, the applicant first completes a form that asks for biographical information including: previous home addresses for the past five years, Social Security number,7 Alien Registration Number and date of arrival in the United States (if applicable), and driver's license number.8 Once the applicant completes the form, he must go to a ClearSpace Enrollment Station (as of now, only located at Orlando International Airport). The applicant must bring two forms of identification, one of which must be a photo ID. The acceptable identification documents include unexpired U.S. passport; military, voter registration or Social Security cards; unexpired driver's license; or original or certified birth certificate.9 Clear then says that:

We carefully examine these documents for authenticity using the latest document inspection technology to detect tampering or counterfeiting. So that we have a complete record of your application, we store in a separate, secure database the biographical information and an image of the documents you submit to enroll.10

Applicants to the Clear Registered
Traveler program must submit
both iris and fingerprint scans.

The applicant then submits digital images of his fingerprints and iris, and a digital photo. Clear then "create[s] and store[s] a template, or mathematical representation, of the finger and iris images, to create a unique biometric ID of the Member."11 Then, all of the data submitted by the applicant is sent to TSA, which then creates the applicant's "security threat assessment" based upon a background check that includes its controversial "no-fly lists."12 TSA continues to conduct security reviews of Clear members throughout their membership, and if a person's security threat assessment changes from approved to unapproved, the person is informed and their Clear membership discontinued.13 A rejected applicant cannot appeal this decision, and TSA will not disclose any information as to why the person was rejected.14

Significant privacy and security risks are inherent in this Registered Traveler program. First, there is a substantial security risk as the divides travelers into categories whose criteria can be learned and exploited. Second, there is a privacy risk because the program's members will not have the protections of the Privacy Act of 1974, as only government agencies are subject to the law. Third, the program has a risk of mission creep - a risk that information volunteered will be used for reasons not related to their original aviation security purposes.

First, the program creates two classes of travelers: trusted and not trusted. But, as security expert Bruce Schneier has explained, this program also creates a third category: "bad guys with the card."15 Criminals will choose applicants without previous links to terrorism, who can pass the background checks, to commit their crimes.16 (Schneier also has noted that, because Clear discontinues the membership of anyone who fails the continuous TSA security review, potential terrorists can pay $80 per year to "be automatically notified if the Department of Homeland Security is onto him.")17

Airports that have joined the Registered Traveler Interoperability Consortium:

Albany International Airport

Atlantic City International Airport

Bangor International Airport

Blue Grass Airport

Boston Logan International Airport

Chattanooga Metropolitan Airport Authority

Dallas Fort Worth International Airport *

Denver International Airport *

Dickinson Theodore Roosevelt Regional Airport

Flagstaff Pulliam Airport

Fort Wayne International Airport

Ft. Lauderdale-Hollywood Int'l Airport

Grand Forks Regional Airport Authority

Greater Orlando Aviation Authority

Greater Rockford Airport Authority

Jackson Hole Airport

Kent County Department of Aeronautics

Lafayette Regional Airport

Lambert-St. Louis International Airport

Lihue Airport

Metropolitan Knoxville Airport Authority

Metropolitan Nashville Airport Authority

Mid-Ohio Valley Regional Airport

Minneapolis St. Paul International Airport *

Monterey Peninsula Airport

Myrtle Beach International Airport

Northwest Arkansas Regional Airport

Northwestern Regional Airport Commission

Palm Beach International Airport

Palm Springs International Airport

Peninsula Airport Commission

Philadelphia International Airport

Phoenix Sky Harbor *

Pittsburgh Int'l Airport-Allegheny County Airport Authority

Port Columbus International Airport *

Port Of Seattle/Sea-Tac Int'l Airport

Pullman-Moscow Regional Airport

Redmond Airport

Reno Tahoe Airport Authority

Rhode Island Airport Corporation

Roanoke Regional Airport Commission

San Francisco International Airport *

Santa Barbara Airport

Shenandoah Valley Regional Airport

Washington Authority's Reagan Washington National and Dulles International Airports *

Second, the private company would be in charge of verifying identity documents and maintaining a database full of personally identifiable data and images of the identity documents submitted by U.S. citizens and permanent foreign residents. The private company, unlike TSA and other federal government agencies, is not subject to the restrictions of the Privacy Act of 1974.18 When passing the Privacy Act, Congress sought to restrict amount of personal information that federal agencies could collect and required agencies to be transparent in their information practices.19 The members of the Clear Registered Traveler program would be subject to the private company's choice of what data to collect, how and where to store the data, and who has access to the data.

The information would not necessarily have stringent privacy protections when transmitted to TSA, however. TSA exempted the Registered Traveler records system from many protections the Privacy Act is intended to provide.20 TSA's notice leaves it under no legal obligation to inform the public of the categories of information contained in the system or provide the ability to access and correct records that are irrelevant, untimely or incomplete.

"Member[s] can request a copy of everything that Verified ID and its subcontractors have in their information systems files for the Clear Program identified to the Member personally, and Verified ID and its subcontractors will provide this information," according to the Clear program.21 However, TSA conducts a "Security Threat Assessment" of all applicants to determine if they can join the Clear program, and the reasons behind a positive or negative Security Threat Assessment are not communicated to applicants or the Clear program.22 Applicants cannot appeal such assessments by TSA.23

The lack of access and correction is especially troubling in light of the fact that documents recently obtained by EPIC under the Freedom of Information Act show nearly a hundred complaints from airline passengers between November 2003 and May 2004 about the government's traveler screening security measures.24 The most common complaint from travelers is that they have been wrongly placed on a government watch list.25 The Transportation Security Administration maintains "selectee" and "no fly" watch lists of individuals suspected of posing a risk to air travel safety. When a passenger checks in for a flight, he may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list. People who are identified as watch list matches may experience long screening delays or not be allowed to board the plane.

TSA maintains that it has an adequate redress process to clear individuals improperly matched to watch lists; however, it is well known that individuals encounter difficulty in resolving such problems. Senators Ted Kennedy (D-MA) and Don Young (R-AK) are among the individuals who have been improperly flagged by watch lists.26 Sen. Kennedy was able to resolve the situation only by enlisting the help of then-Homeland Security Secretary Tom Ridge; unfortunately, most people do not have that option. A clear, timely, access and correction procedure is vital for the Clear Registered Traveler program. The watch-list complaints show that mistakes are made that significantly affect innocent Americans. As of now, Registered Traveler applicants who receive a negative Security Threat Assessment do not even have the redress process offered to those incorrectly matched to watch lists.TSA also has recently been criticized for its administration of the test passenger prescreening program, Secure Flight, which is similar to Registered Traveler. The agency began testing the Secure Flight system earlier this year. In June, however, TSA admitted that it had collected and maintained detailed commercial data about thousands of travelers in violation of a notice published last fall stating it would not do so.27 In July, the Government Accountability Office (GAO) concluded that these actions violated the Privacy Act.28 According to the GAO letter, "the agency did not provide appropriate disclosure about its collection, use and storage of personal information as required by the Privacy Act," and "[a]s a result of TSA's actions, the public did not receive the full protections" of the law.29 Stringent privacy protections are necessary, and it has been shown that travelers' rights are not secure even when the program is administered by a federal agency subject to privacy laws. The privacy rights of travelers would receive far less legal protection under a program administered by a private company not subject to the Privacy Act of 1974.

A third risk associated with the Clear and federal Registered Traveler program is that of mission creep. Program applicants must submit a substantial amount of personally identifiable information that Clear keeps - including biometric data and digital images of identity documents, such as birth certificates, Social Security cards, and driver's licenses. It is possible for Clear program members to be tracked, because Clear "will maintain 'log files' of entrances to local venues."30 The company states that it keeps the log files only at the local venue and these files are automatically purged every 24-48 hours.31 However, the possibility for easily tracking travelers is there, and it would be tempting to use the excuse that "homeland security" and "terrorism prevention" demand that such tracking be done.

In the past, TSA has exhibited a proclivity for using personal information for reasons other than the ones for which the information was gathered or volunteered. Though TSA has stated that it will not use the sensitive personal data of tens of millions of Americans for non-aviation security purposes, TSA documents about another passenger prescreening program similar to Registered Traveler, the CAPPS II program, collected by EPIC under the FOIA clearly show that TSA had considered using personal information gathered for CAPPS II for reasons beyond its original purposes. For example, TSA stated that CAPPS II personal data might be disclosed to federal, state, local, foreign, or international agencies for their investigations of statute, rule, regulation or order violations.32

In the case of Registered Traveler, TSA has identified thirteen categories of "routine uses" of personal information that will be collected and maintained in the program's system of records. In one category, TSA anticipates disclosure to "the appropriate Federal, State, local, tribal, territorial, foreign or international agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order, where TSA becomes aware of an indication of a violation or potential violation of civil or criminal law or regulation."33 This category is so broad as to be almost meaningless, allowing for potential disclosure to virtually any government agency worldwide for a vast array of actual or "potential" undefined violations.

Beyond the above mission creep possibilities, there are the comments made by Steven Brill, who runs the Clear program's parent company Verified Identity Pass Inc. Brill has said that he envisions the Clear card becoming more than just an aviation security ID card. Brill's company has partnered with rental car company Hertz and online travel booking company Orbitz to market the Clear program cards, and is expected to announce a partnership with an airline soon.34 Brill has said that he hopes the Clear ID card would also be used at office buildings, power plants and stadiums.35 The development of such an unregulated ID system has significant implications for Americans. Entry into an office building or stadium should not be conditioned upon whether the person can afford a privatized ID card.

1 The pilot program was launched by the Transportation Security Administration at six airports in Boston, Houston, Los Angeles, Minneapolis, and Washington, DC. To date the only privately run Registered Traveler program is at Orlando International Airport, but the Registered Traveler Interoperability Consortium hopes to deploy private Registered Traveler programs at 50 airports around the nation. Thomas Frank, Biometric IDs could see massive growth, USA Today, Aug. 15, 2005; Registered Traveler Interoperability Consortium athttp://www.rtconsortium.org.

7 Clear states that the applicant does not have to submit his Social Security Number, but "the absence of this data may delay or prevent the completion of the security assessment, without which the applicant may not be permitted to participate in this program." Id.